Department of Homeland Security
Office of Inspector General

Information Technology Management Letter
for the FY 2008
Transportation Security Administration
Financial Statement Audit
(Redacted)

Notice: The Department of Homeland Security, Office of Inspector General has redacted the report for public
release. A review under the Freedom of Information Act will be conducted upon request.

OIG-09-62                                                                                 April 2009


                                                                        Office of Inspector General
                                                                        U.S. Department of
                                                                        Homeland Security
                                                                        Washington, DC 20528

                                   April 23, 2009

                                      Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to
the Inspector General Act of 1978. This is one of a series of audit, inspection, and special
reports prepared as part of our oversight responsibilities to promote economy, efficiency, and
effectiveness within the department.

This report presents the information technology (IT) management letter for the FY 2008
Transportation Security Administration (TSA) financial statement audit as of September 30,
2008. It contains observations and recommendations related to information technology
internal control that were not required to be reported in the financial statement audit report
(OIG-09-09, November 2008) and represents the separate restricted distribution report
mentioned in that report.
The independent accounting firm KPMG LLP (KPMG) performed
the audit of TSA’s FY 2008 balance sheet and prepared this IT management letter. KPMG is
responsible for the attached IT management letter dated March 6, 2009, and the conclusions
expressed in it. We do not express opinions on TSA’s financial statements or internal control
or make conclusions on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our
office, and have been discussed in draft with those responsible for implementation. We trust
this report will result in more effective, efficient, and economical operations. We express our
appreciation to all of those who contributed to the preparation of this report.

                                      Richard L. Skinner
                                      Inspector General


                                  KPMG LLP
                                  2001 M Street, NW
                                  Washington, DC 20036

March 6, 2009

Inspector General
U.S. Department of Homeland Security

Chief Information Officer
Transportation Security Administration

Chief Financial Officer
Transportation Security Administration

Ladies and Gentlemen:

We audited the consolidated balance sheet of the U.S. Department of Homeland Security (DHS)
Transportation Security Administration (TSA) as of September 30, 2008.
The objective of our
engagement was to express an opinion on the fair presentation of the consolidated balance sheet of TSA.
In connection with our fiscal year 2008 audit, we also considered TSA’s internal controls over financial
reporting, and tested TSA’s compliance with certain provisions of applicable laws, regulations, contracts,
and grant agreements that could have a direct and material effect on the consolidated balance sheet of
TSA.

In connection with our fiscal year (FY) 2008 engagement, we considered TSA’s internal control over
financial reporting by obtaining an understanding of TSA’s internal control, determining whether
internal controls had been placed in operation, assessing control risk, and performing tests of controls in
order to determine our procedures. We limited our internal control testing to those controls necessary to
achieve the objectives described in Government Auditing Standards and Office of Management and
Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements. We did not
test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’
Financial Integrity Act of 1982 (FMFIA). The objective of our engagement was not to provide an
opinion on the effectiveness of TSA’s internal control over financial reporting. Accordingly, we do not
express an opinion on the effectiveness of TSA’s internal control over financial reporting.
Further, other
matters involving internal control over financial reporting may have been identified and reported had we
been able to perform all procedures necessary to express an opinion on the TSA balance sheet as of
September 30, 2008, and had we been engaged to audit the other FY 2008 financial statements.

A control deficiency exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent or detect
misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of
control deficiencies, that adversely affects TSA’s ability to initiate, authorize, record, process, or report
financial data reliably in accordance with U.S. generally accepted accounting principles such that there
is more than a remote likelihood that a misstatement of TSA’s financial statements that is more than
inconsequential will not be prevented or detected by TSA’s internal control over financial reporting. A
material weakness is a significant deficiency, or combination of significant deficiencies, that results in
more than a remote likelihood that a material misstatement of the financial statements will not be
prevented or detected by the entity’s internal control.

                                     KPMG LLP. KPMG LLP, a U.S. limited liability partnership, is
                                     a member of KPMG International, a Swiss cooperative.

During our audit engagement, we noted certain matters with respect to TSA’s financial systems’
information technology (IT) general controls which we believe contribute to a TSA-level significant
deficiency that is considered a material weakness in IT general and application controls.
These matters
are described in the IT General Control Findings by Audit Area section of this letter.
The material weakness and significant deficiency described above are presented in our Independent
Auditors’ Report, dated March 6, 2009. This letter represents the separate restricted distribution report
mentioned in that report.

Although not considered to be material weaknesses, we also noted certain other matters during our audit
engagement which we would like to bring to your attention. These matters are also described in the IT
General Control Findings by Audit Area section of this letter.

The material weakness and other comments described herein have been discussed with the appropriate
members of management, or communicated through a Notice of Finding and Recommendation (NFR),
and are intended For Official Use Only. We aim to use our knowledge of TSA’s organization gained
during our audit engagement to make comments and suggestions that we hope will be useful to you. We
have not considered internal control since the date of our Independent Auditors’ Report.

The Table of Contents on the next page identifies each section of the letter. In addition, we have
provided: a description of key TSA financial systems and information technology infrastructure within
the scope of the FY 2008 TSA balance sheet audit in Appendix A; a description of each internal control
finding in Appendix B; and the current year status of the prior year NFRs in Appendix C. Our comments
related to financial management and reporting internal controls have been presented in a separate letter to
the Office of Inspector General and the TSA Chief Financial Officer dated March 6, 2009.

This report is intended solely for the information and use of TSA and DHS management, DHS Office of
Inspector General, OMB, U.S. Government Accountability Office, and the U.S.
Congress, and is not
intended to be and should not be used by anyone other than these specified parties.

Very truly yours,


                                Department of Homeland Security
                             Transportation Security Administration
                            Information Technology Management Letter
                                       September 30, 2008

                 INFORMATION TECHNOLOGY MANAGEMENT LETTER

                                      TABLE OF CONTENTS

                                                                                               Page

Objective, Scope and Approach                                                                   1
Summary of Findings and Recommendations                                                         2
IT General Control Findings by Audit Area                                                       3
  Findings Contributing to a Material Weakness in IT                                            3
    Application Software Development and Change Controls                                        3
  Other Findings in IT General Controls                                                         4
    Access Controls                                                                             4
    Entity-Wide Security Program Planning and Management                                        4
    Service Continuity                                                                          5
Application Control Findings                                                                    7
Management Comments and OIG Responses                                                           7

                                           APPENDICES

Appendix   Subject                                                                            Page
A          Description of Key TSA Financial Systems and IT Infrastructure within the
           Scope of the FY 2008 TSA Financial Statement Audit                                    8
B          FY 2008 Notice of IT Findings and Recommendations at TSA                             10
C          Status of Prior Year Notices of Findings and Recommendations and Comparison
           to Current Year Notices of Findings and Recommendations at TSA                       22
D          Management Comments                                                                  30


                               OBJECTIVE, SCOPE AND APPROACH

We were engaged to perform an audit of the Transportation Security Administration’s (TSA) Information
Technology (IT) general controls in support of the fiscal year (FY) 2008 TSA balance sheet audit
engagement. The overall objective of our engagement was to evaluate the effectiveness of IT general
controls of TSA’s financial processing environment and related IT infrastructure as necessary to support
the engagement. The U.S. Coast Guard’s [redacted] hosts key financial applications for
TSA. As such, our audit procedures over information technology (IT) general controls for TSA included
testing of the Coast Guard’s [redacted] policies, procedures, and practices, as well as at TSA Headquarters.

The Federal Information System Controls Audit Manual (FISCAM), issued by the Government
Accountability Office (GAO), formed the basis of our audit.
The scope of the TSA IT general controls
assessment is described in Appendix A. FISCAM was designed to inform financial auditors about IT
controls and related audit concerns to assist them in planning their audit work and to integrate the work of
auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when
considering the scope and extent of review that generally should be performed when evaluating general
controls and the IT environment of a federal agency. FISCAM defines the following six control functions
to be essential to the effective operation of the general IT controls environment.

•  Entity-wide security program planning and management (EWS) – Controls that provide a framework
   and continuing cycle of activity for managing risk, developing security policies, assigning
   responsibilities, and monitoring the adequacy of computer-related security controls.
•  Access control (AC) – Controls that limit and/or monitor access to computer resources (data,
   programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
•  Application software development and change control (ASDCC) – Controls that help to prevent the
   implementation of unauthorized programs or modifications to existing programs.
•  System software (SS) – Controls that limit and monitor access to powerful programs that operate
   computer hardware and secure applications supported by the system.
•  Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational
   structure to prevent one individual from controlling key aspects of computer-related operations, thus
   deterring unauthorized actions or access to assets or records.
•  Service continuity (SC) – Controls that involve procedures for continuing critical
operations without
   interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit, we also performed technical security testing for key
network and system devices, as well as testing over key financial application controls. The technical
security testing was performed both over the Internet and from within select Coast Guard and TSA
facilities, and focused on test, development, and production devices that directly support TSA’s financial
processing and key general support systems.

In addition to testing TSA’s general control environment, we performed application control tests on a
limited number of TSA’s financial systems and applications. The application control testing was
performed to assess the controls that support the financial systems’ internal controls over the input,
processing, and output of financial data and transactions.

                                                     1
   Information Technology Management Letter for the FY 2008 TSA Financial Statement Audit


•  Application Controls (APC) – Application controls are the structure, policies, and procedures that
   apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants,
   or loans.


                     SUMMARY OF FINDINGS AND RECOMMENDATIONS

During fiscal year (FY) 2008, TSA took corrective action to address prior year IT control weaknesses.
For example, TSA made improvements in testing disaster recovery procedures, reviewing audit logs, and
implementing emergency response training for all personnel with data center access.
However, during
FY 2008, we continued to identify IT general control weaknesses that impact TSA’s financial data. The
most significant weaknesses from a financial statement audit perspective related to controls over the
termination of the contract with the software support vendor, the design and implementation of
configuration management policies and procedures, and the development, implementation, and tracking
of scripts at Coast Guard’s [redacted]. Collectively, the IT control weaknesses limited TSA’s ability to
ensure that critical financial and operational data were maintained in such a manner as to ensure
confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal
controls over TSA financial reporting and its operation, and we consider them to collectively represent a
material weakness for TSA under standards established by the American Institute of Certified Public
Accountants (AICPA). In addition, based upon the results of our test work, we noted that TSA did not
fully comply with the requirements of the Federal Financial Management Improvement Act (FFMIA).

Of the 15 findings identified during our FY 2008 testing, 13 are repeated findings, either partially or in
whole from the prior year, and 2 are new IT findings. These findings represent weaknesses in four of the
six FISCAM key control areas. Specifically, 1) unverified access controls through the lack of
comprehensive user access privilege re-certifications, 2) entity-wide security program issues involving
civilian and contractor background investigation weaknesses, 3) inadequately designed and operating
change control policies and procedures, and 4) the lack of updated disaster recovery plans which reflect
the current environment identified through testing.
These weaknesses may increase the risk that the
confidentiality, integrity, and availability of system controls and TSA financial data could be exploited,
thereby compromising the integrity of financial data used by management and reported in TSA’s financial
statements.

While the recommendations made by KPMG should be considered by TSA, it is the ultimate
responsibility of TSA management to determine the most appropriate method(s) for addressing the
weaknesses identified based on their system capabilities and available resources.


                      IT GENERAL CONTROL FINDINGS BY AUDIT AREA

Findings Contributing to a Material Weakness in IT

Conditions: In FY 2008, the following IT and financial system control weaknesses were identified at
TSA and contribute to a TSA-level significant deficiency that is considered a material weakness in IT
general and application controls.

Application software development and change controls – we noted:
    •  For the data scripts run at Coast Guard’s [redacted], procedures over approval, testing, and
       documentation requirements remain in draft form. The [redacted] does not
       consistently include all testing, approval, and implementation documentation for all scripts.
In
       addition, Coast Guard does not monitor scripts run in the database through audit logging and has
       not developed a technical solution to monitor who accesses the database through [redacted]
       to run scripts or review what scripts are run.
    •  An examination of the data scripts run was conducted with an external, independent organization;
       however, due to the many limitations over scope, the analysis was incomplete. Furthermore, the
       analysis did not properly evaluate scripts as to financial statement impact, including current
       versus prior year effect.
    •  Policies and procedures over software changes for the key financial applications during the
       development and testing processes include multiple weaknesses over the design as well as the
       implementation.

Recommendations: Unless specifically noted where TSA needs to take specific corrective action, we
recommend that TSA work with the DHS Office of Chief Information Officer (OCIO) to ensure that the
Coast Guard/[redacted] complete the following corrective actions:
    •  Continue to complete and implement the [redacted] and [redacted] Change Control Policy.
    •  Implement and better document a single, integrated script change control process that includes
       clear lines of authority to Coast Guard financial and IT management personnel, enforced
       responsibilities of all participants in the process, and documentation requirements.
    •  Continue efforts to complete an in-depth analysis of active scripts, with the following objectives:
       All changes to active scripts and new scripts should be subject to an appropriate software change
       control process to include testing, reviews, and approvals, and all active scripts should be
       reviewed for impact on financial statement balances.
    •  Develop and implement change control policies and
procedures to verify that all software changes
       are approved, tested, documented, tracked, and reviewed prior to deploying the changes into the
       production environment in accordance with DHS Sensitive System Policy Handbook 4300A.


Other Findings in IT General Controls

Although not considered to be a material weakness, we also noted the following other matters related to
IT and financial system control deficiencies during the FY08 TSA audit engagement:

1.  Access controls – we noted:
    •  Access review procedures for key financial applications do not include the review of all user
       accounts to ensure that all terminated individuals no longer have active accounts, inactive
       accounts are locked, and privileges associated with each individual are still authorized and
       necessary.
    •  Security configuration management weaknesses exist on hosts supporting the key financial
       applications and the underlying general support systems.
    •  Security patch management weaknesses exist on hosts supporting the key financial applications
       and general support systems.
    •  The computer access agreement and exit clearance procedures for TSA employees have not been
       consistently implemented.

2.  Entity-wide security program planning and management – we noted:
    •  The contract between Coast Guard and the support vendor does not include security configuration
       requirements that
must be adhered to during the configuration management process. Coast Guard
       terminated the contract in FY 2008; however, during the first half of the fiscal year, the contract
       was still in place and no corrective action had taken place related to the prior year
       recommendation.
    •  Coast Guard’s policies and procedures have not been implemented to require that a favorably
       adjudicated background investigation be completed for all contractor personnel.
    •  Background investigations for all civilian Coast Guard employees have not been completed and
       civilian position sensitivity designations have not been determined in accordance with DHS
       guidance.
    •  There are weaknesses in Specialized Role-based Training for [redacted] Individuals with
       Significant Security Responsibilities.
    •  A risk assessment for the major financial applications has not been completed and the associated
       System Security Plan remains in draft form.
    •  IT security awareness training has not been completed by all TSA personnel prior to gaining
       access to the major financial applications.

3.  Service continuity – we noted:
    •  The Coast Guard [redacted] Continuity of Operations Plan (COOP) has not been updated to reflect
       the results of testing and the division Business Continuity Plans have not been finalized.
TSA’s
       key financial applications are hosted at [redacted]


Recommendations: Unless specifically noted where TSA needs to take specific corrective action, we
recommend that TSA work with the DHS OCIO to ensure that the Coast Guard/FINCEN complete the
following corrective actions:

1.  For access controls:
    •  Actively monitor the use of and changes related to operating systems and other sensitive utility
       software and hardware. Additionally, perform corrective actions on the specific patch and
       configuration weaknesses identified.
    •  Implement the Employee Exit Clearance Procedures by completing, certifying, and maintaining
       all forms required during the exit process for employees and contractors (TSA alone needs to take
       this corrective action).
    •  Implement the IT Security Policy Handbook by verifying that all TSA employees and contractors
       sign a computer access agreement prior to being granted system access (TSA alone needs to take
       this corrective action).
    •  Update the quarterly review process to include procedures surrounding the recertification of
       accounts with elevated privileges on the Unit Approved Plan.
In addition, the recertification
       process should be documented, include supervisor written approval, and occur on at least an
       annual basis (TSA alone needs to take this corrective action).
    •  Develop and implement procedures to require a periodic review by supervisors of all financial
       application and database user accounts and their associated privileges. These procedures should
       include steps to verify that all terminated individuals no longer have active accounts, that inactive
       accounts are locked, and that privileges associated with each individual are still authorized and
       necessary.
    •  Update procedures to ensure that a documented and approved access authorization request is
       completed for each individual prior to granting him/her access to the key financial applications or
       databases.

2.  For entity-wide security program planning and management:
    •  Create and implement contractor background investigation policies and procedures in order to
       establish requirements and ensure compliance with DHS Sensitive System Policy Handbook
       4300A. This includes the verification that all contracts issued by the Coast Guard include the
       appropriate Coast Guard position sensitivity designation requirements for contracted personnel.
    •  Perform initial background investigations and re-investigations for civilian employees in
       accordance with position sensitivity designations at no less than the Moderate level as required by
       DHS directives.
In addition, conduct civilian background re-investigations every ten (10) years,
       as required by DHS directives, to ensure that each employee has a favorably adjudicated and valid
       Minimum Background Investigation (MBI).
    •  Finalize and implement the Role-Based Training which would require personnel with significant
       information security responsibilities to complete specialized role-based training on an annual
       basis. Develop and deploy this specialized role-based training and implement the use of the
       Training Management Tool in order to track and verify specialized role-based training
       requirements compliance.
    •  Finalize and implement the C&A Package for the key financial systems in accordance with DHS
       and National Institute of Standards and Technology (NIST) guidance.
    •  Enforce mandatory completion of security awareness training by holding groups responsible and
       accountable as a performance measure for monitoring the training of their employees (TSA alone
       needs to take this corrective action).

3.  For service continuity:
    •  Update the COOP to include the results of its testing and finalize the applicable supporting
       business continuity plans.


Cause/Effect: Many of these weaknesses were inherited from the lack of properly designed, detailed, and
consistent guidance over financial system controls to enforce DHS Sensitive System Policy Directive
4300A and NIST guidance.
The lack of documented and implemented security configuration
management controls may result in security responsibilities being communicated improperly to system
developers, as well as in the improper implementation and monitoring of system changes by Coast Guard
management. This also increases the risk of unsubstantiated changes as well as changes that may
introduce errors or data integrity issues that are not easily traceable back to the changes. In addition, it
increases the risk of undocumented and unauthorized changes to critical or sensitive information and
systems. This may reduce the reliability of information produced by these systems. In addition,
reasonable assurance should be provided that financial system user access levels are limited and
monitored by both TSA and Coast Guard management for appropriateness and that all user accounts
belong to current employees. This is particularly essential for those user accounts that have been
identified as having elevated privileges. The weaknesses identified within TSA’s access controls
increase the risk that employees and contractors may have access to a system that is outside the realm of
their job responsibilities or that a separated individual, or another person with knowledge of an active
account of a terminated employee, could use the account to alter the data contained within the application
or database. This may also increase the risk that the confidentiality, integrity, and availability of system
controls and the financial data could be exploited, thereby compromising the integrity of financial data
used by management and reported in the DHS financial statements. In addition, without proper personnel
security measures in place, such as background investigations, TSA financial data could be
inappropriately manipulated by contract personnel whose intent is to create havoc or inappropriate
financial gain.
Lastly, the lack of finalized plans for the recovery of critical [redacted] operations and
key TSA financial system data may increase the risk of delayed recovery efforts during a
disaster.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the
Electronic Government Act of 2002, mandates that Federal entities maintain IT security
programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of
Federal Information Resources, and various NIST guidelines describe specific essential
criteria for maintaining effective general IT controls. In addition, OMB Circular No. A-127
prescribes policies and standards for executive departments and agencies to follow in
developing, operating, evaluating, and reporting on financial management systems. FFMIA
sets forth legislation prescribing policies and standards for executive departments and
agencies to follow in developing, operating, evaluating, and reporting on financial
management systems.
The purpose of FFMIA is, in relevant part: (1) to provide for consistency of accounting by
an agency from one fiscal year to the next, and uniform accounting standards throughout the
Federal Government; (2) require Federal financial management systems to support full
disclosure of Federal financial data, including the full costs of Federal programs and
activities; (3) increase the accountability and credibility of Federal financial management;
(4) improve performance, productivity and efficiency of Federal Government financial
management; and (5) establish financial management systems to support controlling the cost
of Federal Government. In closing, for this year’s IT audit we assessed the DHS component’s
compliance with DHS Sensitive System Policy Directive 4300A.


                               APPLICATION CONTROL FINDINGS

We did not identify any findings in the area of application controls during the fiscal year
2008 TSA audit engagement.


                       MANAGEMENT COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from the TSA Assistant Administrator
and Chief Financial Officer. Generally, TSA management agreed with all of our findings and
recommendations, and they have developed a remediation plan to address them.
We have incorporated these comments where appropriate and included a copy of the comments in
Appendix D.

OIG Response

We agree with the steps that TSA’s management is taking to satisfy these recommendations.


                                  Appendix A

Description of Key TSA Financial Systems and IT Infrastructure within the Scope of the
FY 2008 TSA Financial Statement Audit


Below is a description of significant TSA financial management systems and supporting
Information Technology (IT) infrastructure included in the scope of the engagement to
perform the financial statement audit.

Locations of Audit: TSA [redacted] in [redacted] and the Coast Guard [redacted].
TSA’s financial applications are hosted on the Coast Guard’s IT platforms.

Key Systems Subject to Audit:
•  [redacted]: Core accounting system that is the principal general ledger for recording
   financial transactions for the Coast Guard. [redacted] is hosted at [redacted], the
   Coast Guard’s primary data center. It is a customized version of [redacted] Financials.
•  [redacted]: Used to create and post obligations to the core accounting system. It allows
   users to enter funding, create purchase requests, issue procurement documents, perform
   system administration responsibilities, and reconcile weekly program element status
   reports. [redacted] is interconnected with the [redacted] system and is hosted at
   [redacted].
•  [redacted]: [redacted] is a customized third party commercial off the shelf (COTS)
   product hosted at [redacted] and used for TSA and [redacted] property management.
   [redacted] interacts directly with the [redacted] module in [redacted]. Additionally,
   [redacted] is interconnected to the [redacted] system.


                                      Appendix B

FY2008 Notice of IT Findings and Recommendations – Transportation Security Administration
Notice of Findings and Recommendations – Definition of Risk Ratings**:

The Notices of Findings and Recommendations (NFR) were risk ranked as High, Medium, and
Low** based upon the potential impact that each weakness could have on TSA’s information
technology (IT) general control environment and the integrity of the financial data residing
on TSA’s financial systems, and the pervasiveness of the weakness.

** The risk ratings are intended only to assist management in prioritizing corrective
actions, considering the potential benefit of the corrective action to strengthen the IT
general control environment and/or the integrity of the DHS consolidated financial
statements. The risk ratings, used in this context, are not defined by Government Auditing
Standards, issued by the Comptroller General of the United States, or the American
Institute of Certified Public Accountants (AICPA) Professional Standards, and do not
necessarily correlate to a significant deficiency, as defined by the AICPA Standards and
reported in our Independent Auditors’ Report on the TSA balance sheet, dated March 6, 2009.

Correction of some higher risk findings may help mitigate the severity of lower risk
findings, and possibly function as a compensating control.
In addition, analysis was conducted collectively on all NFRs to assess connections between
individual NFRs which, when joined together, could lead to a control weakness occurring with
more likelihood and/or higher impact potential.

High Risk**: A control weakness that is more serious in nature, affecting a broader range of
financial IT systems, or having a more significant impact on the IT general control
environment and/or the integrity of the financial statements as a whole.

Medium Risk**: A control weakness that is less severe in nature, but in conjunction with
other IT general control weaknesses identified, may have a significant impact on the IT
general control environment and/or the integrity of the financial statements as a whole.

Low Risk**: A control weakness minimal in impact to the IT general control environment
and/or the integrity of the financial statements.


                     Transportation Security Administration
       FY2008 Information Technology - Notice of Findings and Recommendations – Detail
The detail table has the columns NFR #, Condition, Recommendation, New Issue, Repeat Issue,
and Risk Rating*. Each finding below lists its issue type and risk rating in parentheses
after the NFR number; all findings in this section were marked in the Repeat Issue column.

IT-08-01 (Repeat Issue; Risk Rating: Low)
Condition: The COOP has not been updated to reflect the results of testing and the division
business continuity plans have not been finalized.
Recommendation: We recommend that TSA monitor efforts to update the COOP as the result of
its testing and finalize the applicable supporting business continuity plans.

IT-08-03 (Repeat Issue; Risk Rating: High)
Condition: During the first half of the year, the contract with the [redacted], and
[redacted] software vendor was still in place and no corrective action had taken place
related to the prior year recommendation. Therefore, the risk of the preexisting condition
was present for the majority of the year (October 1, 2007 through April 1, 2008). However,
due to the Coast Guard decision to terminate the contract with their software vendor, and
the Coast Guard Headquarters decision to suspend all SPRs and SCRs until the instructions
are lifted, this condition did not exist beyond the date of these two events.
Recommendation: We recommend that TSA work with the DHS Chief Information Officer to ensure
that Coast Guard Headquarters completes, in a timely manner, the planned corrective actions
of the following:
  • Coast Guard Headquarters enhance their existing Configuration Management/Change
    Management policies and procedures to explicitly address security configurations and
    software patches (e.g., those associated with system/application "builds", service
    packs, and maintenance releases) to better ensure compliance with DHS requirements and
    NIST guidance.
  • Coast Guard Headquarters and the applicable Coast Guard locations communicate with and
    educate affected staff regarding these improved policies and procedures.
  • Coast Guard Headquarters develop, communicate, and implement procedures to periodically
    review system changes and system baselines.

IT-08-05 (Repeat Issue; Risk Rating: High)
Condition: Coast Guard Headquarters has developed but not yet implemented policies or
procedures to require that a favorably adjudicated background investigation be completed
for all contractor personnel.
Recommendation: We recommend that TSA work with the DHS Chief Information Officer to ensure
that Coast Guard Headquarters completes, in a timely manner, the planned corrective actions
to create and implement contractor background investigation policies and procedures in order
to establish requirements and ensure compliance with DHS Sensitive System Policy Directive
4300A. This includes the verification that all contracts issued by the Coast Guard include
the appropriate Coast Guard position sensitivity designation requirements for contracted
personnel.

IT-08-06 (Repeat Issue; Risk Rating: Medium)
Condition: The Role-Based Training for USCG Information Assurance Professionals Commandant
Instruction is still in draft form and has not been fully implemented.
Recommendation: We recommend that TSA monitor Coast Guard Headquarters’ efforts to complete
planned corrective actions to:
  • Continue efforts to finalize and implement the Role-Based Training for USCG Information
    Assurance Professionals Commandant Instruction, which would require personnel with
    significant information security responsibilities to complete specialized role-based
    training on an annual basis.
  • Develop and deploy this specialized role-based training throughout the Coast Guard.
  • Implement the use of the Training Management Tool in order to track and verify
    specialized role-based training requirements compliance.

IT-08-13 (Repeat Issue; Risk Rating: Low)
Condition: FINCEN is in the process of updating and finalizing the C&A Package for the
[redacted]. The comprehensive CAS Suite SSP will include the major subsystems [redacted],
and [redacted] and financial supporting applications [redacted] and will be used instead of
an individual SSP for each system. The [redacted] also identifies the management controls
around risk assessments, planning, security assessments, [redacted], and systems and
services acquisition.
Recommendation: We recommend that TSA monitor that [redacted] is taking corrective action to
finalize and implement the C&A Package for the [redacted] in accordance with DHS and NIST
guidance.

IT-08-15 (Repeat Issue; Risk Rating: Medium)
Condition: Of the 669 employees/contractors with current access to the following TSA
financial applications: [redacted], [redacted]; 152 employees/contractors have not
completed the IT Security Awareness Training.
Recommendation: We recommend that TSA perform the following corrective actions:
  • Enforce mandatory completion of Security Awareness Training by holding groups
    responsible and accountable as a performance measure for monitoring the training of
    their employees.
  • Revoke system access of employees who do not complete the required annual security
    awareness training before the deadline, and until the employees subsequently complete
    the required training.

IT-08-18 (Repeat Issue; Risk Rating: Medium)
Condition: Configuration management weaknesses continue to exist on hosts supporting the
[redacted] and [redacted] applications and the [redacted].
Note: See the tables in the NFR for the specific conditions.
Recommendation: We recommend that TSA work with the DHS Chief Information Officer to ensure
that Coast Guard’s [redacted] completes, in a timely manner, the planned corrective actions
of the following:
  • Implement the corrective actions noted in the tables above.
  • Implement policies and procedures to ensure that the software builds created by CG are
    tested, prior to implementation, to ensure that all software security configurations,
    such as software patches and non-compliant settings, are up to date.

IT-08-19 (Repeat Issue; Risk Rating: Medium)
Condition: Patch management weaknesses continue to exist on hosts supporting the [redacted]
and [redacted] applications and the [redacted].
Note: See the tables in the NFR for the specific conditions.
Recommendation: We recommend that TSA work with the DHS Chief Information Officer to ensure
that Coast Guard Headquarters completes, in a timely manner, the planned corrective actions
of the following:
  • Implement the corrective actions noted in the NFR.
  • Implement policies and procedures to ensure that the software builds created by CG are
    tested, prior to implementation, to ensure that all software security configurations,
    such as software patches, are up to date.

IT-08-20 (Repeat Issue; Risk Rating: Medium)
Condition: We were unable to obtain 21 1163 Forms and 27 1402 Forms for each sample of 40.
Additionally, 2 of the 13 1402 Forms received were signed after the forms were requested
for audit. The IT Security Policy Handbook requires all TSA personnel, including
contractors, to review and sign the TSA Form 1403: Computer Access Agreement. However, we
were unable to obtain 7 of the 25 Form 1403: Computer Access Agreements sampled. Of the 18
forms we obtained, 5 were dated after the sample was requested for audit.
Recommendation: We recommend that TSA perform the following corrective actions:
  • Implement the Employee Exit Clearance Procedures by completing, certifying, and
    maintaining all forms required during the exit process for employees and contractors.
  • Implement the IT Security Policy Handbook by verifying that all TSA employees and
    contractors sign a computer access agreement prior to being granted system access.

IT-08-21 (Repeat Issue; Risk Rating: Medium)
Condition: The change control policy has not been fully completed and implemented. The
United States Coast Guard (CG) is responsible for making software changes to the [redacted]
and [redacted] applications; however, on March 31, 2008, CG HQ terminated its contract with
the software vendor/developer for [redacted], [redacted] and [redacted], which has hindered
TSA’s ability to fully complete and implement the [redacted] and [redacted] change control
policy.
Recommendation: We recommend TSA continue to complete and implement the following sections
of the [redacted], [redacted] Change Control Policy: Build Selection Process, Software
Development Process, and Software Testing Process.

IT-08-22 (Repeat Issue; Risk Rating: High)
Condition: Control weaknesses still exist within the design of Coast Guard’s Configuration
Management policies and procedures for [redacted], as well as the operating effectiveness of
those controls. Our test work over the design of the change controls covered both periods of
the change control environment; however, our testing of operating effectiveness covered only
the period from the start of the fiscal year through March 2008, since there were no changes
made to [redacted] from April through the remainder of the fiscal year.
Recommendation: We recommend that TSA work with the DHS Chief Information Officer to ensure
that Coast Guard Headquarters completes, in a timely manner, the planned corrective actions
of the following:
  • The [redacted] develop, implement, communicate, and enforce procedures regarding how
    changes are to be controlled, documented, tracked, and reviewed as these changes
    progress through testing and into production.
  • Coast Guard Headquarters develop, implement, communicate, and enforce procedures
    regarding how change control documentation will be maintained, reviewed, and validated
    in accordance with DHS Sensitive System Policy Directive 4300A.

IT-08-23 (Repeat Issue; Risk Rating: High)
Condition: Coast Guard’s controls over the scripting process remain ineffective. Weaknesses
were noted in controls over script implementation, approvals and testing, as well as active
script modification. In addition, Coast Guard has not maintained or developed a population
of scripts run since the inception of [redacted] in 2003, nor has it performed a historical
analysis of script impact on the cumulative balances in permanent accounts of the financial
statements. Specifically:
  • Coast Guard lacks a formal process to distinguish between the module lead approvers for
    script approval requests (Conditions #1 & #2);
  • The Procedures for Data Scripts do not specifically state the testing and documentation
    requirements for blanket approval scripts, and this policy remains in draft form
    (Conditions #3 & #4);
  • Coast Guard does not monitor scripts run in the database through audit logging and has
    not developed a technical solution to monitor who accesses the database through
    [redacted] to run scripts or review what scripts are run (Conditions #5 & #6);
  • The [redacted] does not consistently include all testing, approval, and implementation
    documentation for all scripts (Condition #7); and
  • Coast Guard has not completed documentation for all scripts executed since their
    implementation (Condition #8).
Recommendation: TSA does not have the ability to take corrective actions to remediate these
control issues on their own. Therefore, it should be made clear that TSA is dependent on the
Coast Guard to take the necessary action. In order for management to assert to any financial
statement line items, we recommend that TSA work with the DHS Chief Financial Officer and
the DHS Chief Information Officer to ensure that Coast Guard Headquarters completes, in a
timely manner, the planned corrective actions to:
  • Continue to design, document, implement, and demonstrate the effectiveness of internal
    controls associated with the active (current and future) scripts.
  • Identify and evaluate the historical scripts (all those implemented prior to those
    identified in recommendation 1 above) to determine the financial statement impact on
    cumulative balances in permanent accounts; and develop and maintain supporting
    procedures related to each script.
With respect to procedures already in place, TSA should work with the DHS Chief Financial
Officer and the DHS Chief Information Officer to ensure that Coast Guard Headquarters
completes, in a timely manner, the corrective actions to:
  • Continue to update script policies and procedures to include clear guidance over module
    lead approvers, testing and
documentation requirements, monitoring/audit\n        Additionally, although Coast Guard did conduct an              log    reviews,    and     blanket    approval\n        examination with an external contractor organization,          requirements.\n        we have determined that the analysis was incomplete.       \xef\xbf\xbd   Finalize and implement policies and\n        Specifically, due to the many limitations over scope, it       procedures governing the script change control\n        did not consider the full population of scripts run at         process including completing records within\n                   currently or since the inception of     .           the                            for all executed\n        Furthermore, the analysis did not properly evaluate            scripts and ensuring that all scripts are tested\n        scripts as to financial statement impact, including            in an appropriate test environment prior to\n        current versus prior year effect (Condition #9)                being put into production.\n                                                                   Regarding the actual scripts themselves, TSA\n                                                                   should work with the DHS Chief Financial Officer\n                                                                   and the DHS Chief Information Officer to ensure\n                                                                   that Coast Guard Headquarters completes, in a\n                                                                   timely manner, the corrective actions to:\n                                                                   \xef\xbf\xbd Determine the root causes and specific\n                                                                       detailed actions necessary to correct the\n                                                                       conditions that resulted in scripts, for the total\n            
                                                           population of scripts run at             in order\n                                                                       to develop system upgrades that would\n                                                                       eliminate the use of some of the scripts.\n                                                                   \xef\xbf\xbd    Continue efforts to complete an in-depth\n                                                                        analysis of active scripts, with the following\n\n                                                                       18\n               Information Technology Management Letter for the FY 2008 TSA Financial Statement Audit\n\x0c                                                                                                                                         Appendix B \n\n                                                     Department of Homeland Security \n\n                                                  Transportation Security Administration\n\n                                                 Information Technology Management Letter\n                                                            September 30, 2008\n\n                                                                                                                                         Repeat    Risk\nNFR #                            Condition                                            Recommendation                         New Issue\n                                                                                                                                          Issue   Rating*\n                                                                         objectives:\n                                                                          o All changes to active scripts and new\n                                                                            scripts 
should be subject to an appropriate\n                                                                            software change control process to include\n                                                                            testing, reviews, and approvals.\n                                                                          o All active scripts should be reviewed for\n                                                                            impact on financial statement balances.\nIT-08-24   Although Coast Guard Headquarters is in the process       We recommend that TSA work with the DHS                               X      Medium\n           of completing background investigations for all           Chief Information Officer to ensure that Coast\n           civilian employees, this has not been completed.          Guard Headquarters' completes, in a timely\n           Additionally, Coast Guard has set its position            manner, the following planned corrective actions:\n           sensitivity designations to Low for the majority of its\n           employees. However, DHS requires position                 \xef\xbf\xbd    Perform the initial background investigations\n           sensitivity designations no less than Moderate which           and re-investigations for civilian employees in\n           equates to a Minimum Background Check (MBI).                   
accordance      with     position    sensitivity\n                                                                          designations at no less than the Moderate level\n                                                                          as required by DHS directives; and\n                                                                     \xef\xbf\xbd   Conduct civilian background re-investigations\n                                                                         every ten (10) years, as required by DHS\n                                                                         directives, to ensure that each employee has a\n                                                                         favorably adjudicated and valid MBI\nIT-08-26   Although procedures surrounding user access privilege     We recommend that TSA work with the DHS                    X                 Medium\n           re-certifications have been developed, we noted that      Chief Information Officer to ensure that the Coast\n           the process does not include all           , and          Guard\xe2\x80\x99s            completes, in a timely manner,\n                       users and does not involve users\xe2\x80\x99             the planned corrective actions to:\n           supervisors as required by DHS Sensitive System           \xef\xbf\xbd Implement and document the             user\n           Policy Directive 4300A. Additionally, we noted that           access review procedures to include all\n           AAR forms are not being completed for all users on a          access privileges and include supervisors in\n           consistent basis and we identified instances where            each review.\n           system access was granted prior to the AAR approval\n           by a supervisor.                                          
\xef\xbf\xbd    Update procedures to ensure that a\n                                                                          documented and approved access\n                                                                          authorization request is completed for each\n                                                                          individual prior to granting him/her access to\n                                                                          the             and             applications or\n\n                                                                         19\n                  Information Technology Management Letter for the FY 2008 TSA Financial Statement Audit\n\x0c                                                                                                                                            Appendix B\n                                                         Department of Homeland Security\n                                                      Transportation Security Administration\n                                                     Information Technology Management Letter\n                                                                September 30, 2008\n\n                                                                                                                                            Repeat    Risk\n      NFR #                           Condition                                            Recommendation                       New Issue\n                                                                                                                                             Issue   Rating*\n                                                                              databases.\n\n\n\n\n     IT-08-27   Although TSA has implemented quarterly access             We recommend that TSA update the                         X                 Medium\n                reviews for                user accounts and 
identified   and       Site Administrator User and Role \n\n                accounts with elevated privileges, TSA has not \n          Quarterly Review Process to include procedures \n\n                ensured that the \n              accounts with an          surrounding the recertification of accounts with \n\n                increased risk associated with them are \n                 elevated privileges on the Unit Approved Plan. In \n\n                reviewed/authorized on a periodic basis by a \n            addition, the recertification process should be \n\n                supervisor. \n                                             documented, include supervisor written approval\n                                                                          and occur on an at least annual basis.\n\n\n\n\n* Risk ratings are only intended to assist management in prioritizing corrective actions. Risk ratings in this context do not correlate to\ndefinitions of control deficiencies as identified by the AICPA.\n\n\n\n\n                                                                            20\n                       Information Technology Management Letter for the FY 2008 TSA Financial Statement Audit\n\x0c                                                                            Appendix C \n\n\n                           Department of Homeland Security \n\n                        Transportation Security Administration\n\n                       Information Technology Management Letter\n                                  September 30, 2008\n\n\n\n\n                                  Appendix C \n\n\nStatus of Prior Year Notices of Findings and Recommendations \n\n                     And Comparison To\n\n   Current Year Notices of Findings and Recommendations \n\n\n\n\n\nStatus of Prior Year Notices of Findings and Recommendations and Comparison To\n\n\n                                         22\nInformation Technology Management Letter for the FY 2008 TSA Financial 
Statement Audit\n\x0c                                                                                                      Appendix C \n\n\n                                     Department of Homeland Security \n\n                                  Transportation Security Administration\n\n                                 Information Technology Management Letter\n                                            September 30, 2008\n\n                 Current Year Notices of Findings and Recommendations at TSA\n                                                                                                         Disposition\nNFR No.            Description                                                                     Closed         Repeat\n\n TSA- IT-07-01      The disaster recovery aspect of the COOP will be completed by                                  08-01\n                    September 30, 2007 with the business continuity and continuity of\n                    government aspects of the COOP not being completed until\n                    December 2007. Because the COOP is in draft form, it has not yet\n                    been tested; however,                plans to test the entire COOP prior to\n                    it being implemented. Lastly, the                 has drafted a\n                    memorandum of understanding (MOU) with the\n                                     for reciprocal services; however, the MOU is currently\n                    in draft form.\n TSA- IT-07-02                 is in the process of developing of a Continuity of                    X\n                    Operations Plan (COOP) which addresses disaster recovery, business\n                    continuity and continuity of government for                   . 
The disaster\n                    recovery aspect of the COOP will be completed by September 30,\n                    2007 with the business continuity and continuity of government\n                    aspects of the COOP not being completed until December 2007.\n                    Because the COOP is in draft form, it has not yet been tested;\n                    however,               plans to test the entire COOP prior to it being\n                    implemented. Lastly, the                 has drafted a MOU with the\n                    for reciprocal services; however, the MOU is currently in draft form.\n\n\n TSA-IT-07-03       The contract that CG HQ has with the              and                                          08-03\n                    software vendor does not include security configuration\n                    requirements that must be adhered to during the configuration\n                    management process. Consequently,                and\n                    builds and maintenance packs may not be configured and\n                    implemented with comprehensive security configuration\n                    requirements. 
CG recognizes the absence of security requirements\n                    and indicated that the contract with the vendor will be reassessed in\n                    2008 during the contract renewal process with CG HQ and\n                    corrective actions will be taken at that time.\n TSA-IT-07-04       19 individuals, specified below, had 24 hour a day access to the data            X\n                    center and had not yet completed the training:\n                    - 13 individuals (building owners, property managers and their\n                    respective contractors);\n                    - 4 members of            Senior Management; and\n                    - 2 security guards.\n\n                    Lastly, we identified four employees, each with 24 hour access to the\n                    data center that had not yet completed the training as of July 2007.\n                    Upon notifying            of this exception, the four\n                    individuals completed the training and\n                    provided KPMG with supporting evidence.\n\n\n\n\n                                                          23\n  Information Technology Management Letter for the FY 2008 TSA Financial Statement Audit\n\x0c                                                                                               Appendix C\n\n                                  Department of Homeland Security \n\n                               Transportation Security Administration\n\n                              Information Technology Management Letter\n                                         September 30, 2008\n\n                                                                                                  Disposition\nNFR No.         
Description                                                                 Closed         Repeat\n\n TSA-IT-07-05    No formal procedures have been developed or implemented by                                 08-05\n                 Coast Guard Headquarters to address DHS requirements surrounding\n                 the suitability screening of contractors accessing DHS IT systems.\n                 DHS directives and policies require Coast Guard and other DHS\n                 components to ensure the completion of background investigations\n                 for all contractors accessing IT systems. The type of background\n                 investigations should be based on the risk level of their future\n                 position at CG and are required to be completed prior to the start of\n                 work. However, no CG guidance exists to require CG components\n                 to clear their contractors for suitability, especially those with\n                 sensitive IT positions.\n TSA-IT-07-06    The IT Security Awareness, Training and Education Plan lacks                               08-06\n                 appropriate criteria for defining personnel with significant IT\n                 responsibilities. Additionally, the personnel that are defined in the\n                 guidance are very limited and do not fully cover the scope of\n                 security responsibilities addressed in DHS requirements.\n TSA-IT-07-07    \xe2\x80\xa2 TSA management did not receive a response from the Federal Air             X\n                 Marshalls Service Division                 user base for the May and for\n                 the July 2007              review. 
Therefore, TSA assumed that no\n                 response indicated that all roles were appropriate and did not follow-\n                 up to ensure that a response was received.\n                 \xe2\x80\xa2 Privileges associated with each user were not included in the May\n                 and July 2007 reviews performed.\n\n                 We also noted that the accounts of terminated employees are not\n                 removed from the system in a timely manner. Although TSA\n                 requested that several of the accounts of terminated individuals be\n                 deactivated/end-dated by           , the requests were not submitted\n                 to FINCEN until months after the employees departed and we were\n                 unable to obtain evidence that these accounts had in fact been\n                 deactivated/end-dated.\n TSA-IT-07-08    \xe2\x80\xa2 The       application and database does not meet the password              X\n                 requirements noted in DHS Sensitive System Policy Directive\n                 4300A.\n                 \xe2\x80\xa2      accounts of terminated individuals are not removed in a\n                 timely manner including one individual who had user account\n                 management capabilities within the system.\n                 \xe2\x80\xa2      application and database accounts are not being reviewed for\n                 appropriateness.\n\n\n\n\n                                                     24\n  Information Technology Management Letter for the FY 2008 TSA Financial Statement Audit\n\x0c                                                                                                Appendix C \n\n\n                                    Department of Homeland Security \n\n                                 Transportation Security Administration\n\n                                Information Technology Management Letter\n                                           September 30, 2008\n\n  
                                                                                                 Disposition\nNFR No.           Description                                                                Closed         Repeat\n\n TSA-IT-07-09      \xe2\x80\xa2 We were unable to obtain a copy of the       password                     X\n                   configuration. However, we performed a\n                   demonstration/walkthrough of the password with a             point of\n                   contact and were able to determine that the password configuration\n                   is not in compliance with DHS guidance.\n                   \xe2\x80\xa2 Although the      system has been configured to track and lock\n                   accounts that have not been utilized in 90 days, DHS guidance\n                   requires that accounts that have not been used in 30 days be\n                   deactivated.\n TSA-IT-07-10      An excessive number of individuals had user administration                  X\n                   capabilities within FPD until the implementation of the centralized\n                   user management (August 19, 2007). We also noted the existence of\n                   two shared generic accounts with this privilege:\n                   and                       . These accounts have every privilege within\n                   the application, including the ability to create/delete/modify user\n                   accounts within         .\n TSA-IT-07-11      \xe2\x80\xa2 Accounts of terminated employees and contractors are not removed          X\n                   from the system in a timely manner. 
Specifically, accounts of\n                   terminated employees and contractors have not been end-dated and\n                   accounts of terminated employees and contractors were not end-\n                   dated until months after their departure.\n                   \xe2\x80\xa2       periodic account reviews are not being performed to ensure\n                   that all users are current employees or contractors and that their\n                   privileges are still required to perform their job functions.\n                   \xe2\x80\xa2 Three of 15 Financial Systems Access Request Forms were not\n                   completed in their entirety. Specifically, the three forms did not\n                   contain the privileges that each user was to be granted within the\n                   system.\n TSA-IT-07-12 \n    The accounts of terminated contractors are not end-dated or disabled        X\n                   in a timely manner. Additionally, we noted that TSA has not\n                   developed policies or procedures that require a periodic review of\n                          application and database accounts, and their associated\n                   privileges, be performed to determine that access is appropriate.\n TSA-IT-07-13 \n    Management had not adequately completed the              Certification                    08-13 \n\n                   and Accreditation (C&A) package to include the                  system.\n                   Specifically,              management stated that Sunflower is a\n                   subsystem of          and a separate C&A does not need to be\n                   completed since it is covered by the         C&A Package. 
However,\n                   we determined that there is no documentation within the\n                   System Security Plan that defines                as a subsystem and\n                   specifically addresses the appropriate security controls for\n                   in this capacity.\n TSA-IT-07-14                          systems have been configured to automatically           X\n                   end date accounts that have not been used in six months; however,\n                   DHS guidance requires accounts that have been inactive for 30 days\n                   be disabled.\n\n\n                                                       25\n  Information Technology Management Letter for the FY 2008 TSA Financial Statement Audit\n\x0c                                                                                             Appendix C\n\n                                  Department of Homeland Security \n\n                               Transportation Security Administration\n\n                              Information Technology Management Letter\n                                         September 30, 2008\n\n                                                                                                Disposition\nNFR No.         Description                                                               Closed         Repeat\n\n TSA-IT-07-15    The policies and procedures over a formalized sanctioning process                        08-15\n                 have not been fully developed and implemented. Specifically, the\n                 policies and procedures do not include consequences for individuals\n                 who do not sign the computer access agreements or complete initial\n                 or refresher security awareness training. 
Furthermore, out of the\n                 nine individuals selected, only one had completed a Computer\n                 Access Agreement.\n\n                 Additionally, we determined that TSA allows individuals to\n                 complete security awareness training within sixty days of beginning\n                 work and gaining access to their         and application accounts.\n                 However DHS guidance requires that all individuals complete\n                 security awareness training prior to gaining access to the Information\n                 systems. Furthermore, out of the selection of nine individuals, one\n                 contractor had not completed initial security awareness training this\n                 fiscal year and a second employee had not completed their refresher\n                 training for this fiscal year.\n TSA-IT-07-16    Procedures are not formally documented requiring the review of the         X\n                 activities of the        system administrators. 
                 We also noted that reviews of the audit logs that document the
                 actions of administrators in the [redacted] operating environment
                 are not being performed.

 TSA-IT-07-17    Procedures are not formally documented identifying how change              X
                 control should be performed when applying system software
                 changes, including software patches, to the [redacted] operating
                 system according to a standard schedule or in an emergency
                 situation. While a policy exists, it lacks detailed procedures in
                 order to be effective.

 TSA-IT-07-18    Configuration management weaknesses continue to exist on hosts                           08-18
                 supporting the [redacted] and [redacted] applications and the
                 [redacted].

                 Note: See the tables in the NFR for the specific conditions.

 TSA-IT-07-19    Patch management weaknesses continue to exist on hosts supporting                        08-19
                 the [redacted] and [redacted] applications and the [redacted].

                 Note: See the tables in the NFR for the specific conditions.


                                                    26
  Information Technology Management Letter for the FY 2008 TSA Financial Statement Audit

                                                                                               Appendix C

                                  Department of Homeland Security
                               Transportation Security Administration
                              Information Technology Management Letter
                                         September 30, 2008

                                                                                                Disposition
NFR No.          Description                                                                Closed       Repeat

 TSA-IT-07-20    Implementation of the formalized exit process for TSA personnel                          08-20
                 policies and procedures has not been fully executed. Specifically,
                 only eleven (11) out of a selection of thirty (30) TSA 1402 Forms,
                 the Separating Non-Screener Employee and Contractor IT
                 Certificates, were received. Additionally, of the eleven received,
                 seven (7) of the forms did not have the appropriate TSA
                 application(s) identified in order to deactivate the separating
                 employee’s accounts.

                 Furthermore, we selected thirty (30) TSA 1163 forms, the Employee
                 Exit Clearance form, for both contractors and TSA personnel, and
                 only received nine (9) completed forms. The purpose of the 1163
                 form is to document sign-offs for access removal of financial and
                 related administrative system accounts for applications such as
                 [redacted] access to the Intranet.

 TSA-IT-07-21    1. TSA has not fully documented policies and procedures                                  08-21
                 surrounding the change control process for [redacted] to define the
                 overlap in the responsibilities between TSA and [redacted] or
                 guidance for ensuring that changes that are passed/deferred to
                 [redacted] are tested and operate appropriately prior to approval by
                 TSA and implementation into production.
                 2. Additionally, TSA does not consistently retain documentation
                 associated with the [redacted] changes.
                 3. Policies and procedures for the emergency change control process
                 are not documented.

 TSA-IT-07-22    [redacted] has not fully developed and implemented its policies and                      08-22
                 procedures for the change control and emergency change control
                 process to guide staff in the implementation of this process at
                 [redacted]. Specifically, we noted that the policies and procedures
                 remain at a high level and do not include requirements for who is
                 responsible for the initial approvals of the changes proposed by the
                 vendor, including technical changes, the testing plan requirements
                 for each phase of testing [redacted] and the capacity in which
                 [redacted] is involved, and the final approval of all changes to the
                 system. Instead, the procedures detail the overall process and
                 phases for [redacted] and [redacted] change control, but lack
                 detailed guidance for the roles and responsibilities executed by
                 [redacted] personnel.

                 Additionally, we noted that [redacted] follows the same change
                 control process for emergency changes. However, the details
                 surrounding that emergency change control process are not formally
                 documented in the [redacted] procedures for [redacted] and
                 [redacted]. For example, requirements for the categorization of
                 priority levels and response time requirements for each priority
                 level are not included.

                 Furthermore, [redacted] has not fully implemented the procedures
                 documented in the [redacted] System Change Procedures.
                 Specifically, we noted that [redacted] were not completed for
                 changes made to the [redacted] suite as of June 2006.

                 Upon review of a selection of changes, we determined that [redacted]
                 is not consistently retaining documentation to support the change
                 control and emergency change control process. Specifically, we
                 inspected documentation associated with 30 [redacted] and
                 [redacted] system changes and emergency changes and determined
                 that various pieces of supporting documentation (i.e., functional
                 resolution documents, test plans for the different phases of testing,
                 evidence of testing, and approvals) were insufficient and/or not
                 available for all 30 of the changes and emergency changes selected
                 for testing.

 TSA-IT-07-23    Coast Guard change controls related to Coast Guard and TSA                               08-23
                 financial systems are not appropriately designed, operating
                 effectively, or in compliance with Office of Management and Budget
                 Circular No. A-130, Security of Federal Automated Information
                 Resources, the DHS Sensitive System Policy Directive 4300A, and
                 the National Institute of Standards and Technology Special
                 Publications. Coast Guard has operated and continues to operate a
                 separate, informal, and largely undocumented change development
                 and implementation process affecting Coast Guard and TSA financial
                 systems, outside of and conflicting with the formal change control
                 process. Coast Guard is unable to provide a complete population of
                 implemented scripts, including the type, purpose, and intended
                 effect on both CG and TSA financial data. The implemented process
                 is ineffective because the approval, testing, and documentation
                 procedures for the script changes are not appropriately designed,
                 and the current process is ineffective at controlling the intended
                 and actual effect on TSA financial data. Coast Guard has only
                 eliminated a small number of the scripts used on a consistent basis
                 and is projecting that this approach will continue into the delivery
                 of [redacted] and beyond.

 TSA-IT-07-24    Civilian background investigations and reinvestigations are not                          08-24
                 being performed in accordance with DHS guidance. Specifically,
                 sixteen (16) out of twenty (20) individual background investigations
                 reviewed did not meet the DHS minimum standard of investigation
                 of an MBI per DHS Sensitive System Policy Directive 4300A.

                 Furthermore, upon review of a selection of five (5) civilian
                 personnel, one (1) individual had an investigation that had not been
                 adjudicated since 1988. DHS guidance requires that civilian
                 personnel be reinvestigated every ten (10) years.

 TSA-IT-07-25    TSA has not taken corrective actions to develop and implement              X
                 TSA-specific change control policies and procedures for the TSA
                 [redacted] change control or emergency change control process.
                 Furthermore, upon review of a selection of changes, we determined
                 that TSA is not consistently implementing the change control
                 process. Specifically, we inspected documentation associated with
                 seven [redacted] system changes and emergency changes and
                 determined that supporting documentation (i.e., test plans, evidence
                 of testing, and approvals to move the change into production) was
                 not available for all seven of the changes and emergency changes
                 selected for testing.

                 Additionally, KPMG noted that testing was not fully completed by
                 TSA prior to passing the change for testing for three of the changes.


                                                                            Appendix D

                           Department of Homeland Security
                        Transportation Security Administration
                       Information Technology Management Letter
                                  September 30, 2008

                            Management Comments

                 [Management comments on pages 30 to 32 are not available as text.]


                    Report Distribution

                    Department of Homeland Security

                    Secretary
                    Deputy Secretary
                    Chief of Staff for Policy
                    Chief of Staff for Operations
                    Acting General Counsel
                    Executive Secretariat
                    Under Secretary, Management
                    Acting Assistant Commissioner, TSA
                    DHS Chief Information Officer
                    DHS Chief Financial Officer
                    Chief Financial Officer, TSA
                    Acting Chief Information Officer, TSA
                    Chief Information Security Officer
                    Assistant Secretary for Policy
                    Assistant Secretary for Public Affairs
                    Assistant Secretary for Office of Legislative Affairs
                    DHS GAO OIG Audit Liaison
                    Chief Information Officer, Audit Liaison
                    TSA Audit Liaison

                    Office of Management and Budget

                    Chief, Homeland Security Branch
                    DHS OIG Budget Examiner

                    Congress

                    Congressional Oversight and Appropriations Committees as
                    Appropriate


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199,
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.


OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal
misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.


The OIG seeks to protect the identity of each writer and caller.